Security Advisory: On Locked or Suspended Sites, Customers Can Sign In Using Trusted Tickets

Version 2

    Severity: Medium


    Summary: Users who access Tableau Server through trusted authentication can still sign in to sites that have been suspended or locked. A site can be suspended by a server administrator, and becomes locked if a site import or export fails.


    Vulnerable Versions: Tableau Server 8.0, 8.1 (through 8.1.19), 8.2 (through 8.2.11), 8.3 (through 8.3.6),  9.0 (through 9.0.2)


    Conditions: The issue affects Tableau Server when all of the following conditions are true:

    • The server has multiple sites.
    • The server is configured to use trusted authentication, and users have been issued trusted tickets.
    • A site has been suspended or locked.


    Impact: A user who holds a trusted ticket for a site can redeem it and gain unauthorized access to that site even after the site has been suspended or locked. This can result in unauthorized modification and disclosure of data on the site.
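    The defect described above is a missing authorization check at ticket redemption: the ticket is validated, but the state of the site it was issued for is not. The following model shows the trusted-ticket flow (a trusted host POSTs a username and target site to obtain a ticket, and the browser then redeems that ticket for a session) with and without the site-state check. It is an added illustration, not Tableau Server code: the class, the hypothetical 180-second ticket lifetime, the in-memory site table and the trusted-host list are all assumptions made for the example. The interesting case is a ticket issued while the site is still active and redeemed after the site is suspended, which is exactly the window the advisory's conditions describe.

```python
"""Model of trusted-ticket issue/redeem with and without the site-state check.
Illustrative only: this is not Tableau Server code, and the names, the TTL and
the sample sites/hosts below are assumptions made for the example."""
import secrets
import time
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class SiteState(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"   # set by a server administrator
    LOCKED = "locked"         # set automatically after a failed site import/export


@dataclass
class Site:
    site_id: str              # value a trusted host sends as the target site
    state: SiteState = SiteState.ACTIVE


@dataclass
class Ticket:
    username: str
    site_id: str
    issued_at: float
    redeemed: bool = False


class TrustedTicketService:
    TICKET_TTL = 180.0        # assumption: a ticket must be redeemed within 3 minutes

    def __init__(self, sites, trusted_hosts, enforce_site_state, clock=time.time):
        self.sites: Dict[str, Site] = {s.site_id: s for s in sites}
        self.trusted_hosts = set(trusted_hosts)
        self.enforce_site_state = enforce_site_state  # False models the vulnerable behaviour
        self.clock = clock                            # injectable for expiry tests
        self.tickets: Dict[str, Ticket] = {}

    def issue(self, client_ip: str, username: str, target_site: str) -> str:
        """Ticket request from a trusted host: returns an opaque ticket, or "-1" on refusal."""
        if client_ip not in self.trusted_hosts:
            return "-1"
        site = self.sites.get(target_site)
        if site is None:
            return "-1"
        # Hardened: do not even issue tickets for a site that is not active.
        if self.enforce_site_state and site.state is not SiteState.ACTIVE:
            return "-1"
        value = secrets.token_urlsafe(24)
        self.tickets[value] = Ticket(username, target_site, self.clock())
        return value

    def redeem(self, ticket_value: str) -> Optional[dict]:
        """Ticket redemption by the browser: returns a session, or None when refused."""
        ticket = self.tickets.get(ticket_value)
        if ticket is None or ticket.redeemed:
            return None                               # unknown or replayed ticket
        if self.clock() - ticket.issued_at > self.TICKET_TTL:
            return None                               # expired
        ticket.redeemed = True                        # burn it on any attempt, before further checks
        site = self.sites[ticket.site_id]
        # Hardened: the ticket may have been issued before the site was suspended/locked,
        # so the site state must be re-checked here, not only at issue time.
        if self.enforce_site_state and site.state is not SiteState.ACTIVE:
            return None
        return {"user": ticket.username, "site": ticket.site_id}


def demo(enforce_site_state: bool) -> Optional[dict]:
    """Issue a ticket while the site is active, suspend the site, then redeem the ticket."""
    now = [1_000_000.0]
    svc = TrustedTicketService(
        sites=[Site("default"), Site("finance")],     # constructed sample sites
        trusted_hosts={"10.0.0.5"},                   # constructed trusted host
        enforce_site_state=enforce_site_state,
        clock=lambda: now[0],
    )
    ticket = svc.issue("10.0.0.5", "alice", "finance")
    assert ticket != "-1"
    svc.sites["finance"].state = SiteState.SUSPENDED  # administrator suspends the site
    now[0] += 30                                      # well inside the ticket lifetime
    return svc.redeem(ticket)                         # vulnerable: session; hardened: None
```

With `enforce_site_state=False` the redemption succeeds and the user lands in the suspended site; with it set to `True` the same ticket is refused. Note that refusing at issue time alone is not enough, because the advisory's conditions only require that the site be suspended or locked at sign-in, not at the moment the ticket was obtained.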


    Resolution: Upgrade to one of the following Tableau Server releases:

    Tableau Server 8.1.20

    Tableau Server 8.2.12

    Tableau Server 8.3.6

    Tableau Server 9.0.3


    CVSS v2.0 Base Score: 5.4

    CVSS v2.0 Vector: AV:N/AC:M/Au:M/C:P/I:P/A:P

    For more information about vectors, see CVSS v2 Vector Definitions on the National Vulnerability Database site.


    More information